topic Re: Strict Exclusion issue in Access Point in QlikView

Strict Exclusion issue in Access Point

Fri, 04 Oct 2013 16:32:39 GMT

Hi Folk,s

There seems to be an issue with Strict Exclusion option in QlikView Access Point.

I've used two reduction fields in Section Access. Data is getting reduced as desired in the desktop version.

However when opened in Access Point, it is throwing 'Access Denied to this document'.

I tried deleting shared and meta files as well, but in vain.
Now question is if I disable Strict Exclusion and if the reduction field data is not available, then the user will be able to see all the data.

Pls let me know if you have any ideas to overcome this issue.

Thanks,

Surendra

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 11:47:23 GMT

Hi Surendra,

I'm using version 11.20 SR4 and I have the same issue.

Did you solve it ?

Regards

Andrea

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 12:05:54 GMT

I can't because if a user have a data value in section access that doesn't match any value in data table he can see ALL data rather than NO DATA and this is the PROBLEM.

That's why I need the strict exclusion option enabled but in this way I can't open the document even for users that should be able to see it.

I didn't use "STAR is" but EMPTY string in section access for those fields for which I have to see all values (NULL included).

How do "STRICT EXCLUSION" really works ?

Regards

Andrea

Re: Re: Strict Exclusion issue in Access Point

IAMDV — Thu, 30 Jan 2014 12:36:02 GMT

Hi,

It works from Desktop client because you have ADMIN access. What kind of SA are you implementing? There must be conflicting access between two fields and it's normal behaviour for SA to deny access when you're using Strict Exclusion option. There is great risk if you don't use Strict Exclusion.

Please provide sample application to assist you.

Cheers,

Re: Re: Strict Exclusion issue in Access Point

IAMDV — Thu, 30 Jan 2014 12:41:17 GMT

Please DON'T uncheck the "Strict Exclusion" option to resolve this issue. If you do it then users will see ALL the data and this might be security breach!

Please see the below thread where I've posted an example on how to implement SA with Strict Exclusion.

http://community.qlik.com/message/247356#247356

Cheers,

www.QlikShare.com

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 14:11:29 GMT

below the section access table from QVD file:

Section Application;

STAR is "#";

[SA BRAND]:

LOAD Distinct [SA BRAND], if([SA BRAND] = '', '#', [SA BRAND]) as [Brand prodotto] Resident [TAB UTENTI];// Where Len(Trim([SA BRAND]))>0;

[SA AGENTE]:

LOAD Distinct [SA AGENTE], if([SA AGENTE] = '', '#', [SA AGENTE]) as [%Codice agente] Resident [TAB UTENTI];// Where Len(Trim([SA AGENTE]))>0;

[SA AM]:

LOAD Distinct [SA AM], if([SA AM] = '', '#', [SA AM]) as [%Codice Area Manager] Resident [TAB UTENTI];// Where Len(Trim([SA AM]))>0;

[SA CLIENTE]:

LOAD Distinct [SA CLIENTE], if([SA CLIENTE] = '', '#', [SA CLIENTE]) as [Codice cliente] Resident [TAB UTENTI];// Where Len(Trim([SA CLIENTE]))>0;

[SA PC]:

LOAD Distinct [SA PC], if([SA PC] = '', '#', [SA PC]) as [%Codice Profit center] Resident [TAB UTENTI];// Where Len(Trim([SA PC]))>0;

[SA TIPOUSER]:

LOAD Distinct TIPOUSER Resident [TAB UTENTI];// Where Len(Trim(TIPOUSER))>0;

in ACCESS POINT the user above can't open the document if the STRICT EXCLUSION is checked

All values listed in reduction fields of section access matches with the section application data values.

I don't understand why I got the below request for user/password:

Can you help me?

Thanks

Andrea

Re: Strict Exclusion issue in Access Point

Thu, 30 Jan 2014 14:47:20 GMT

Hi Andrea, You already have NTNAME, why are you included the USERID , PASSWORD , NTDOMAINSID with *.

The user must be Authenticated with NTNAME to the access point. So you dont need these another values.

I always suggest, please keep only one ReductionField with composite key and this one recommended.

Please go through the below post for more details:

http://community.qlik.com/blogs/qlikviewdesignblog/2012/10/02/complex-authorization

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 15:01:08 GMT

in the section access I also have one admin account (USERID=ADMIN and password=ADMIN) that's why you see this fields.

Did you understand why the user can't open the document ?

Re: Strict Exclusion issue in Access Point

Thu, 30 Jan 2014 15:08:38 GMT

May be USERID and PASSWORD fields are exist in Section Table

Try with * as username & Password

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 15:13:58 GMT

No USERID and PASSWORD doesn't exists in section application.

I didn't undertand the * where I should use it.

Re: Strict Exclusion issue in Access Point

Carlos_Reyes — Thu, 30 Jan 2014 15:22:22 GMT

I think you're having troubles with null values and Strict Exclusion. Review this discussion.

Section Access question

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 15:33:47 GMT

for example the below USER is able to open the document even with STRICT EXCLUSION checked:

why are you talking about null values ?

Re: Strict Exclusion issue in Access Point

Carlos_Reyes — Thu, 30 Jan 2014 15:40:22 GMT

That's strange... In my experience you cannot use null values in the Section Access table for the fields that will be used as filters...

Is that user able to open the document from the AccessPoint? If you use null values there won't be a problem in the Desktop, but you will have problems in the AccessPoint.

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 15:44:38 GMT

yes the user QLIKADMIN can open the document either with desktop and access point.

what value I should use instead of '' in the section access ?

Re: Strict Exclusion issue in Access Point

Thu, 30 Jan 2014 15:47:36 GMT

If the user have null values in the section table, he can't open the application with strict exclusion unless the the reduction field having null value in the data model and this null value connected to other fields data.

Re: Strict Exclusion issue in Access Point

Thu, 30 Jan 2014 15:49:27 GMT

You should use unique word and use the same in the reduction field.

Ex: ALL

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 15:54:05 GMT

as I wrote before, below the script:

SECTION APPLICATION;

STAR is "#";

[SA BRAND]:

LOAD Distinct [SA BRAND], if([SA BRAND] = '', '#', [SA BRAND]) as [Brand prodotto] Resident [TAB UTENTI];

[SA AGENTE]:

LOAD Distinct [SA AGENTE], if([SA AGENTE] = '', '#', [SA AGENTE]) as [%Codice agente] Resident [TAB UTENTI];

[SA AM]:

LOAD Distinct [SA AM], if([SA AM] = '', '#', [SA AM]) as [%Codice Area Manager] Resident [TAB UTENTI];

[SA CLIENTE]:

LOAD Distinct [SA CLIENTE], if([SA CLIENTE] = '', '#', [SA CLIENTE]) as [Codice cliente] Resident [TAB UTENTI];

[SA PC]:

LOAD Distinct [SA PC], if([SA PC] = '', '#', [SA PC]) as [%Codice Profit center] Resident [TAB UTENTI];

[SA TIPOUSER]:

LOAD Distinct TIPOUSER Resident [TAB UTENTI];

Where [TAB UTENTI] is the section access table name.

As you can see in the data model I have the null value for each reduction field.

the question is why the user QLIKADMIN is able to open the document and the user GOMEI can't ?

Re: Strict Exclusion issue in Access Point

Carlos_Reyes — Thu, 30 Jan 2014 16:05:07 GMT

You have to use the values per se... and create all possible combinations that each user is allowed to see... that means equal amount of records.

For instance.. if the ADMIN can see all, and all means 150 different combinations between all your filter fields values... then ADMIN must have 150 records... one for each combination and so for the rest of the users.

I think the next document from HC will be useful so that you can automate as much as possible the process to create all those records.

http://community.qlik.com/blogs/qlikviewdesignblog/2012/10/02/complex-authorization

Re: Strict Exclusion issue in Access Point

agigliotti — Thu, 30 Jan 2014 16:59:48 GMT

I just tried to use ALL instead of null value in section access but no luck.

I can still open the document in AccessPoint only with QLIKADMIN user with STRICT EXCLUSION.

Without STRICT EXCLUSION option I can open the document with all users but no reduction data is taking in place.

What's going on ???

Re: Strict Exclusion issue in Access Point

Thu, 30 Jan 2014 21:20:49 GMT

Hi Andrea, QLIKADMIN is a have ADMIN access.

Please try without START is statement and add all possible combination to Reductionfield like Henric suggested in the below post:

http://community.qlik.com/blogs/qlikviewdesignblog/2012/10/02/complex-authorization